Distributed synthesis for well-connected architectures

HAL Id: hal-00306316

https://hal.archives-ouvertes.fr/hal-00306316

Submitted on 1 Aug 2008

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Distributed synthesis for well-connected architectures

Paul Gastin, Nathalie Sznajder, Marc Zeitoun

To cite this version:

Paul Gastin, Nathalie Sznajder, Marc Zeitoun. Distributed synthesis for well-connected architectures.

FSTTCS06, 2006, Kolkata, India. pp.321-332, �10.1007/11944836_30�. �hal-00306316�

Distributed synthesis for well-connected

architectures

Paul Gastin1_{, Nathalie Sznajder}1_{, and Marc Zeitoun}2 1

LSV, ENS de Cachan & CNRS

61, Av. du Pr´esident Wilson, F-94235 Cachan Cedex, France {Paul.Gastin,Nathalie.Sznajder}@lsv.ens-cachan.fr

2

LaBRI, Universit´e Bordeaux 1 & CNRS

351, Cours de la Lib´eration, F-33405 Talence Cedex, France mz@labri.fr

Abstract. _{We study the synthesis problem for external linear or} branch-ing specifications and distributed, synchronous architectures with arbi-trary delays on processes. External means that the specification only re-lates input and output variables. We introduce the subclass of uniformly well-connected (UWC) architectures for which there exists a routing al-lowing each output process to get the values of all inputs it is connected to, as soon as possible. We prove that the distributed synthesis problem is decidable on UWC architectures if and only if the set of all sets of input variables visible by output variables is totally ordered, under set inclusion. We also show that if we extend this class by letting the routing depend on the output process, then the previous decidability result fails. Finally, we provide a natural restriction on specifications under which the whole class of UWC architectures is decidable.

1

Introduction

Synthesis is an essential problem in computer science considered by Church in [2]. It consists in translating a system property, given in a high level specification language (such as temporal logic) into a low-level equivalent model (such as a fi-nite automaton). The problem can be parametrized by the specification language and the target model. For instance, synthesis for infinite sequential systems from monadic second order formulas is simply B¨uchi’s theorem.

In this paper, we address the synthesis problem for distributed open syn-chronous systems and temporal logic specifications. This specific question has been first studied in [11], where general synthesis has been proved undecidable for LTL specifications, and LTL synthesis for pipeline architectures has been shown non elementarily decidable, the lower bound following from a former result on multiplayer games [10]. For local specifications, constraining only variables lo-cal to processes [8], the general problem is undecidable (though doubly flanked pipelines become decidable.)

?_{Work partly supported by the European research project HPRN-CT-2002-00283}

The pipeline architecture has been shown decidable for CTL∗ full specifica-tions [5], that is, specificaspecifica-tions allowed to constrain all variables of the system. In this case, where decidability of the distributed synthesis is obtained, full specifications strengthen the result.

A decision criterion, established in [3] for full specifications, implies that the architecture of Figure 1 is undecidable. The reason is that specifications are allowed to enforce a constant value on variable t, breaking the link between pro-cesses p0 and p1. For the undecidability part of the criterion, allowing

specifica-tions on all variables allows easy reducspecifica-tions to the basic undecidable architecture of Pnueli and Rosner [11], for instance by breaking communication links at will. In the seminal paper [11], specifications were assumed to be external, or input-output: only variables communicating with the environment could be con-strained. The way processes of the system communicate was only restricted by the communication architecture, not by the specification. This is very natural from a practical point of view: when writing a specification, we are only con-cerned by the input/output behavior of the system and we should leave to the implementation all freedom on its internal behavior. For that reason, solving the problem for external specifications is more relevant and useful - albeit more difficult - than a decidability criterion for arbitrary specifications. We will show that the architecture of Figure 1 is decidable for external specifications, that is, if we do not constrain the internal variable t.

Contributions. We consider the synthesis problem for synchronous semantics, where each process is assigned a nonnegative delay. The delays can be used to model latency in communications, or slow processes. This model has the same expressive power as the one where delays sit on communication channels, and it subsumes both the 0-delay and the 1-delay classical semantics [11,5].

To rule out unnatural properties yielding undecidability, the specifications we consider are external, coming back to the original framework of [11,2]. We first determine a sufficient condition for undecidability with external specifications, that generalizes the undecidability result of [11]. We next introduce uniformly well-connected (UWC) architectures. Informally, an architecture is UWC if there exists a routing of input variables allowing each output process to get, as soon as possible, the values of all inputs it is connected to. Using tree automata, we prove that for such architectures, the sufficient condition for undecidability becomes a criterion, for external specifications. We also propose a natural restriction on specifications for which all UWC architectures becomes decidable.

x0 x1

p0 p1

y0 y1

t

Finally, we introduce the larger class of well-connected architectures, in which the routing of input variables to an output process can depend on that pro-cess. We show that our criterion is not necessary anymore for this larger class. Whether the restricted external specifications are always decidable for this class, as it is the case for UWC architectures, remains open. The undecidability proof highlights the surprising fact that in Figure 1, blanking out a single information bit in the transmission of x0to p1through t suffices to yield undecidability. This

is a step forward in understanding decidability limits for distributed synthesis. Due to lack of space, proofs are omitted or only sketched in this extended abstract. A full version is available in [4].

2

Preliminaries

Trees and tree automata. Given two finite sets X and Y , a Y -labeled (full) X-tree is a (total) function t : X∗_{→ Y where elements of X are called directions,}

and elements of Y are called labels. A word σ ∈ X∗ _{defines a node of t and t(σ)}

is its label. The empty word ε is the root of the tree. A word σ ∈ Xω_{is a branch.}

In the following, a tree t : X∗_{→ Y will be called an (X, Y )-tree.}

A non-deterministic tree automaton (NDTA) A = (X, Y, Q, q0, δ, α) runs on

(X, Y )-trees. It consists of a finite set of states Q, an initial state q0, a transition

function δ : Q × Y → P(QX_{) and an acceptance condition α ⊆ Q}ω_{. A run ρ}

of such an automaton over a (X, Y )-tree t is a (X, Q)-tree ρ such that for all σ∈ X∗_{, (ρ(σ · x))}

x∈X∈ δ(ρ(σ), t(σ)). A run tree is accepting if all its branches

s1s2· · · are such that ρ(ε)ρ(s1)ρ(s1s2) · · · ∈ α. The specific acceptance condition

chosen among the classical ones is not important in this paper. Architectures. An architecture A = (V ] P, E, (Sv₎

v∈V, s0,(dp)p∈P) is a finite

directed acyclic bipartite graph, where V ] P is the set of vertices, and E ⊆ (V × P ) ∪ (P × V ) is the set of edges, such that |E−1_{(v)| ≤ 1 for all v ∈ V .}

Elements of P will be called processes and elements of V variables. Intuitively, an edge (v, p) ∈ V × P means that process p can read variable v, and an edge (p, v) ∈ P × V means that p can write on v. Thus, |E−1_{(v)| ≤ 1 means that}

a variable v is written by at most one process. Input and output variables are defined, respectively, by VI = {v ∈ V | E−1(v) = ∅} and VO = {v ∈ V |

E(v) = ∅}. Variables in V \ (VI∪ VO) will be called internal. We assume that

no process is minimal or maximal in the graph. Each variable v ranges over a finite domain Sv_{, given with the architecture. The initial value of the variables}

is s0 = (sv0)v∈V ∈ Q_v∈V Sv. We will consider that |Sv| ≥ 2 for all v ∈ V . In

fact, if not, such a variable would always have the same value, and could be ignored. It will be convenient in some proofs to assume that {0, 1} ⊆ Sv _and

that sv

0= 0 for all v ∈ V . Each process p ∈ P is associated with a delay dp∈ N

that corresponds to the time interval between the moment the process reads the variables v ∈ E−1_{(p) and the moment it will be able to write on its own output}

variables. Note that delay 0 is allowed. In the following, for v ∈ V , we will often write dv for dp where E−1(v) = {p}.

u w

z1 z2 z3 z4

z12 z13 z14 z23 z24 z34

Fig. 2. An architecture

An example of an architecture is given in Figure 2, where processes are represented by boxes and variables by circles.

Runs. When U ⊆ V , SU_{will denote}Q

v∈US

v_{. A configuration of the architecture}

is given by a tuple s ∈ SV _{describing the value of the variables. For s = (s}v₎ v∈V ∈

SV_{, U ⊆ V , we denote by s}U _{= (s}v₎

v∈U the projection of the configuration s

to the subset of variables U . A run of an architecture is an infinite sequence of configurations, i.e., an infinite word over the alphabet SV_{, starting with the}

initial configuration s0∈ SV given by the architecture. If σ = s0s1s2· · · ∈ (SV)ω

is a run, then its projection on U is σU _{= s}U

0sU1sU2 · · · . Also, we denote by σ[i]

the prefix of length i of σ (by convention, σ[i] = ε if i ≤ 0). A run tree is a full tree t : (SVI₎∗_{→ S}V_{, where t(ε) = s}

0 and for ρ ∈ (SVI)∗, r ∈ SVI, we have

(t(ρ · r))VI _{= r. The projection of t on U ⊆ V is the tree t}U _{: (S}VI₎∗ _{→ S}U

defined by tU_{(ρ) = t(ρ)}U_.

Specifications. Specifications over a set U ⊆ V of variables can be given, for instance, by a µ-calculus, CTL∗, CTL, or LTL formula, with atomic propositions of the form (v = a) for v ∈ U and a ∈ Sv_{. We then say that the formula is in}

L(U ) where L is the logic used. A specification is external if U ⊆ VI∪ VO. The

validity of an external formula on a run tree t (or simply a run) only depends on its projection tVI∪VO _{onto V}

I∪ VO.

Programs, strategies. We consider a discrete time, synchronous semantics. In-formally, at step i = 1, 2, . . ., the environment provides new values for input variables. Then, each process p reading values written by its predecessors or by the environment at step i − dp, computes values for the variables it writes to,

and writes them. Let v ∈ V \ VI and let R(v) = E−2(v) be the set of variables

read by the process writing to v. Intuitively, from a word (s0σ)R(v)in (SR(v))+

representing the projection on R(v) of some run prefix, a program (or a strat-egy) advices a value to write on variable v. But, since the process may have a certain delay dv, the output of the strategy must not depend on the last dv

values of (s0σ)R(v). Since all runs begin by s0, this initial configuration is

ir-relevant for a strategy which only depends on σR(v)_{. Formally, a program (or}

local strategy) for variable v is a mapping fv _{: S}R(v)
+

→ Sv _{compatible with}

the delay dv, i.e., such that for all ρ, ρ0 ∈ (SR(v))i, if ρ[i − dv] = ρ0[i − dv],

then fv_{(ρ) = f}v_(ρ0_{). This condition ensures that the delay d}

vis respected when

strategy) is a tuple F = (fv₎

v∈V \VI of local strategies. A run σ ∈ (S

V₎ω _{is an}

F-run (or F -compatible) if for all v ∈ V \ VI, svi = fv(σR(v)[i]). Given an input

sequence ρ ∈ (SVI₎ω_{, there is a unique run σ which is F -compatible and such}

that σVI _{= ρ. The F -run tree is the run tree t : (S}VI₎∗ _{→ S}V _{such that each}

branch is labeled by a word s0s1s2· · · ∈ (SV)ω which is an F -run. Note that,

in an F -run, the prefix σ[i] only depends on the prefix ρ[i]. This shows that the F-run tree is unique.

For a variable v ∈ V , we let View(v) = (E−2₎∗_{(v) ∩ V}

I be the set of input

variables v might depend on. Observe that if s0σ is an F -run then, for all v ∈

V \ VI, for all i > 0, svi only depends on σView(v)[i]. This allows us to define the

summary ˆfv _{: (S}View(v)₎+ _{→ S}v _{such that ˆf}v_(σView(v)_{[i]) = s}v

i, corresponding

to the composition of all local strategies used to obtain the value of v. Remark 1. The compatibility of the strategies F = (fv₎

v∈V \VI with the

de-lays (dv)v∈V \VI extends to the summaries ˆF = ( ˆf

v₎

v∈V \VI. Formally, a map

h : (SView(v)₎+ _{→ S}v _{is compatible with the delays if for all ρ ∈ (S}View(v)₎i_,

h(ρ) only depends on the prefixes (ρu_{[i − d(u, v)])}

u∈View(v), where d(u, v) is the

smallest cumulative delay of transmission between u and v, i.e., d(u, v) = min{dv1+ · · · + dvn| u E

2_v

1E2. . . E2vn= v is a path in A}.

The strategy fv _{is memoryless if it does not depend on the past, that}

is, if there exists g : SR(v) _{→ S}v _{such that f}v_(s

1· · · si· · · si+dv) = g(si) for

s1· · · si+dv ∈ (S

R(v)₎+_{. In case d}

v = 0, this corresponds to the usual definition

of a memoryless strategy.

Distributed synthesis problem. Let L be a specification language. The distributed synthesis problem for an architecture A is the following: given a formula ϕ ∈ L, decide whether there exists a distributed program F such that every F -run (or the F --run tree) satisfies ϕ. We will then say that F is a distributed implementation for the specification ϕ. If for some architecture the synthesis problem is undecidable, we say that the architecture itself is undecidable (for the specification language L).

3

Architectures with uncomparable information

In this section, we state a necessary condition for decidability.

Definition 2. An architecture has uncomparable information if there exist vari-ables x, y ∈ VO such that View(x) \ View(y) 6= ∅ and View(y) \ View(x) 6= ∅.

Otherwise the architecture has linearly preordered information.

For instance, the architectures of Figures 1 and 3 have linearly preordered information. The following proposition extends the undecidability result of [11,3]. Proposition 3. Architectures with uncomparable information are undecidable for LTL or CTL external specifications.

4

Uniformly well-connected architectures

This section introduces the new class of uniformly well-connected (UWC) archi-tectures and provides a decidability criterion for the synthesis problem on this class. It also introduces the notion of robust specifications and shows that UWC architectures are always decidable for external and robust specifications.

A routing for an architecture A = (V ∪ P, E, (Sv₎

v∈V, s0,(dp)p∈P) is a family

Φ = (fv₎

v∈V \(VI∪VO) of memoryless local strategies. Observe that a routing

does not include local strategies for output variables. Informally, we say that an architecture is uniformly well connected if there exists a routing Φ that allows to transmit to every output variable v, with a minimal delay, the value of the variables in View(v).

Definition 4. An architecture A is uniformly well-connected (UWC) if there exist a routing Φ and, for every v ∈ VO and u ∈ View(v), a decoding function

gu,v_{: S}R(v)
+

→ Su _{that can reconstruct the value of u, i.e., such that for any}

Φ-compatible sequence σ = s1s2· · · ∈ SV\VO
+ , we have for i > 0 sui = g u,v_(σR(v)_{[i + d(u, v) − d} v]) (1)

In case there is no delay, the uniform well-connectedness refines the notion of adequate connectivity introduced by Pnueli and Rosner in [11], as we no longer require each output variable to be communicated the value of all input variables, but only those in its view. In fact, this gives us strategies for internal variables, that are simply to route the input to the processes writing on output variables. Observe that, given an architecture, there is a finite number of routings and a finite number of decoding functions, so that the property of being UWC is NP. Actually, the problem is NP-complete: using a natural reduction, this follows from the NP-hardness of the multicast problem [7], which is a special instance of the network information flow problem [1].

We first show that distributed programs are somewhat easier to find in a UWC architecture. As a matter of fact, in such architectures, to define a dis-tributed strategy it suffices to define a collection of input-output strategies that respect the delays given by the architecture.

Lemma 5. Let A = (V ∪ P, E, (Sv₎

v∈V, s0,(dp)p∈P) be a UWC architecture.

For each v ∈ VO, let hv : (SView(v))+ → Sv be an input-output mapping which

is compatible with the delays of A. Then there exists a distributed program F = (fv₎

v∈V \VI over A such that h

v_{= ˆf}v _{for all v ∈ V} O.

We now give a decision criterion for this specific subclass of architectures. Theorem 6. A UWC architecture is decidable for external (linear or branching) specifications if and only if it has linearly preordered information.

We have already seen in Section 3 that uncomparable information yields undecidability of the synthesis problem for LTL or CTL external specifications.

We prove now that, when restricted to the subclass of UWC architectures, this also becomes a necessary condition.

We assume that the architecture A is UWC and has linearly preordered information, and therefore we can order the output variables VO = {v1, . . . , vn}

so that View(vn) ⊆ · · · ⊆ View(v1) ⊆ VI.

In the following, in order to use tree-automata, we extend a strategy f : (SX₎+ _{→ S}Y _{by f (ε) = s}Y

0 so that it becomes a (SX, SY)-tree. We proceed

in two steps. First, we build an automaton accepting all the global input-output 0-delay strategies implementing the specification. A global input-output 0-delay strategy for A is a (SView(v1)_{, S}VO_{)-tree h satisfying h(ε) = s}VO

0 . This first step

is simply the program synthesis for a single process with incomplete information (since we may have View(v1) ( VI). This problem was solved in [6] for CTL∗

specifications.

Proposition 7 ([6, Th. 4.4]). Given an external specification ϕ ∈ CTL∗(VI∪

VO), one can build a NDTA A1 over (SView(v1), SVO)-trees such that h ∈ L(A1)

if and only if the run tree induced by h satisfies ϕ.

If L(A1) is empty, then we already know that there are no distributed

im-plementations for the specification ϕ over A. Otherwise, thanks to Lemma 5, we have to check whether for each v ∈ VO there exists an (SView(v), Sv)-tree hv

which is compatible with the delays and such that the global strategyL

v∈VOh

v

induced by the collection (hv₎

v∈VOis accepted by A1. Formally, the sum of

strate-gies is defined as follows. Let X = X1∪ X2⊆ VI and Y = Y1] Y2⊆ VO, and for

i= 1, 2 let hi be a (SXi, SYi)-tree. We define the (SX, SY)-tree h = h1⊕ h2 by

h(σ) = (h1(σX1), h2(σX2)) for σ ∈ (SX)∗.

To check the existence of such trees (hv₎

v∈VO, we will inductively eliminate

the output variables following the order v1, . . . , vn. It is important that we start

with the variable that views the largest set of input variables, even though, due to the delays, it might get the information much later than the remaining variables. Let Vk = {vk, . . . , vn} for k ≥ 1. The induction step relies on the

following statement.

Proposition 8. Let 1 ≤ k < n. Given a NDTA Ak accepting (SView(vk), SVk

)-trees, we can build a NDTA Ak+1 accepting (SView(vk+1), SVk+1)-trees, such that

a tree t is accepted by Ak+1 if and only if there exists a (SView(vk), Svk)-tree hvk

which is compatible with the delays and such that hvk⊕ t is accepted by A

k.

The proof of Proposition 8 divides in two steps. Since Vk = {vk} ∪ Vk+1, for

each (SView(vk)

, SVk_{)-tree t we have t = t}vk_⊕tVk+1_{(recall that t}U_{is the projection}

of t on U ). So one can first turn the automaton Ak into A0kthat accepts the trees

t∈ L(Ak) such that tvkis compatible with the delays (Lemma 9). Then, one can

build an automaton that restricts the domain of the directions and the labeling of the accepted trees to SView(vk+1) _{and S}Vk+1 _{respectively.}

Lemma 9. Let v ∈ U ⊆ VO. Given a NDTA A over (SView(v), SU)-trees one

can build a NDTA A0 _{= compat}

v(A) also over (SView(v), SU)-trees such that

Proof. Intuitively, to make sure that the function tv _{is compatible with the}

delays, the automaton A0 _{will guess in advance the values of t}v _{and then check}

that its guess is correct. The guess has to be made K = max{d(u, v), u ∈ View(v)} steps in advance and consists in a function g : (SView(v)₎K _{→ S}v _that

is already compatible with the delays and that predicts what will be the v-values Ksteps later. During a transition, the guess is sent in each direction r ∈ SView(v)

as a function r−1_{g defined by (r}−1_{g)(σ) = g(rσ) which is stored in the state of}

the automaton. Previous guesses are refined similarly and are also stored in the state of the automaton so that the new set of states is Q0 _{= Q × F where F}

is the set of functions f : (SView(v)₎<K _{→ S}v _{which are compatible with the}

delays, where Z<K ₌S

i<KZ

i_{. The value f (ε) is the guess that was made K}

steps earlier and has to be checked against the current v-value of the tree. Transitions of A0_{will be defined using the function ∆ : F × S}View(v)_{→ P(F)}

given by ∆(f, r) = {f0 _{| f}0_{(σ) = f (rσ) for |σ| < K − 1}. Note that the values}

f0(σ) for |σ| = K − 1 do not depend on f and correspond to the new guess g refined by r as intuitively described above. Now, the transition function of A0 _is

δ0 (q, f ), (f (ε), s)
=  (qr, fr)r∈SView(v)    (qr)r∈SView(v)∈ δ(q, (f (ε), s)) and

fr∈ ∆(f, r) for all r ∈ SView(v)

 . Finally, the set of initial states of A0 _{is I}0 _{= {q}

0} × F and α0 = π−1(α) where

π: (Q×F)ω_{→ Q}ω_{is the projection on Q, i.e., a run of A}0_{is accepted if and only}

if its projection on Q is an accepted run of A. One can check that the automaton

A0 _{satisfies the requirements of Lemma 9.} ut

Proof (of Proposition 8). We consider the NDTA compatvk(Ak). It remains

to project away the Svk _{component of the label and to make sure that the}

SVk+1 _{component of the label only depends on the S}View(vk+1) _{component of}

the input. The first part is the classical projection on SVk+1 _{of the automaton}

and the second part is the narrowing construction introduced in [6]. The au-tomaton Ak+1 fulfilling the requirements of Proposition 8 is therefore given by

narrowView(vk+1)(projVk+1(compatvk(Ak))). Note that, even when applied to a

NDTA, the narrowing construction of [6] yields an alternating tree automaton. Here we assume that the narrowing operation returns a NDTA using a classical transformation of alternating tree automata into NDTA [9]. The drawback is that this involves an exponential blow up. Unfortunately, this is needed since

Lemma 9 requires a NDTA as input. ut

We can now conclude the proof of Theorem 6. Using Proposition 8 induc-tively starting from the NDTA A1 of Proposition 7, we obtain a NDTA An

accepting a (SView(vn)_{, S}vn)-tree hvn if and only if for each 1 ≤ i < n, there

exists a (SView(vi)_{, S}vi)-tree hvi which is compatible with the delays and such

that hv1_{⊕ · · · ⊕ h}vnis accepted by A

1. Therefore, using Remark 1 and Lemma 5,

there is a distributed implementation for the specification over A if and only if L(compatvn(An)) is nonempty. The overall procedure is non-elementary due to

We now show that we can obtain decidability of the synthesis problem for the whole subclass of UWC architectures by restricting ourselves to specifications that only relate output variables to their own view.

Definition 10. A specification ϕ ∈ L with L ∈ {LTL, CTL, CTL∗} is robust if it is a (finite) disjunction of formulas of the form V

v∈VOϕv where ϕv ∈

L(View(v) ∪ {v}).

Proposition 11. The synthesis problem for UWC architectures and external robust CTL∗ specifications is decidable.

Proof. Let A = (V ∪P, E, (Su₎

u∈V, s0,(dp)p∈P) be a UWC architecture and ϕ be

an external and robust CTL∗specification. Without loss of generality, we may as-sume that ϕ =V

v∈VOϕvwhere ϕv∈ CTL

∗_{(View(v)∪{v}). Using Proposition 7,}

for each v ∈ VO we find a NDTA Av accepting a strategy h : (SView(v))∗ → Sv

if and only if the induced run tree tv : (SView(v))∗ → SView(v)∪{v} satisfies ϕv.

Using Remark 1 and Lemma 5 one can show the following claim from which Proposition 11 follows.

Claim. There exists a distributed implementation of ϕ over A if and only if for each v ∈ VO, the automaton compatv(Av) is nonempty. ut

5

Well-connected architectures

It is natural to ask whether the decision criterion for UWC architectures can be extended to a larger class. In this section, we relax the property of uniform well-connectedness and show that, in that case, linearly preordered information is not anymore a sufficient condition for decidability.

Definition 12. An architecture is said to be well-connected, if for each output variable v ∈ VO, the sub-architecture consisting of (E−1)∗(v) is uniformly

well-connected.

The architecture of Figure 2 is well-connected but not UWC when the vari-ables are boolean. This follows from similar results on the multicast problem [7]. Hence, the subclass of UWC architectures is strictly contained in the subclass of well-connected architecture. Note that the size of the variable domains has a major influence: any well-connected architecture with sufficiently large domain sizes is UWC.

The following theorem asserts that, unfortunately, the decision criterion can-not be extended to well-connected architectures.

Theorem 13. The synthesis problem for LTL specifications and well-connected, linearly preordered architectures is undecidable.

Let A be the architecture of Figure 3, in which all the delays are set to 0, and which is clearly well-connected and linearly preordered. To show its unde-cidability, fix a deterministic Turing machine M with tape alphabet Γ and state

set Q. We reduce the non halting problem of M starting from the empty tape to the distributed implementability of an LTL specification over A. Let Sz_{= {0, 1}}

for z ∈ V \ {x, y} and Sx_{= S}y _{= Γ ] Q ] {#} where # is a new symbol. As}

usual, the configuration of M defined by state q and tape content γ1γ2, where

the head scans the first symbol of γ2, is encoded by the word γ1qγ2∈ Γ∗QΓ+.

An input word u ∈ 0∗₁p_{0{0, 1}}ω_{encodes the integer n(u) = p and similarly for v.}

We construct an LTL specification ϕM forcing any distributed implementation

to output on variable x the n(u)th _{configuration of M starting from the empty}

tape. Processes p0 and p6 play the role of the two processes of the undecidable

architecture of Pnueli and Rosner. The difficulty is to ensure that process p6

cannot receive relevant information about u.

The specification ϕM is a conjunction of five properties described below that

can all be expressed in LTL(VI∪ VO).

1. The processes pi for i 6= 6 have to output the current values of u and w

until (including) the first 1 occurs on w. Afterwards, they are unconstrained. Process p6must always output the value of w on w6. Moreover, after the first

1 on w, it also has to output the current value of u on u6. We can describe

this property with a formula α.

2. If the input word on u (resp. v) is in 0q₁p_{0{0, 1}}ω_{, then the corresponding}

output word x (resp. y) is in #q+pΓ∗QΓ+#ω_{. This can be expressed by a}

formula β.

3. We next express with a formula γ that if n(u) = 1, then the output on x is the first configuration C1 of M starting from the empty tape.

4. We say that the input words are synchronized if u, v ∈ 0q₁p_{0{0, 1}}ω _{or if}

u ∈ 0q₁p+1_{0{0, 1}}ω _{and v ∈ 0}q+1₁p_{0{0, 1}}ω_{. We use a formula δ to express}

the fact that if u and v are synchronized and n(u) = n(v), then the outputs on x and y are equal.

5. Finally, one can express with an LTL formula ψ that if the input words are synchronized and if n(u) = n(v) + 1, then the configuration encoded on x is obtained by a computation step of M from the configuration encoded on y.

We first show that there exists a distributed implementation of ϕM over A.

Let ⊕ be the addition modulo 2 (xor). Process p0 forwards u to z0. Process q

u w v x p0 z0 q z1 z2 z3 z4 p1 p2 p3 p4 p5 p6 u1 w1 u2 w2 u3 w3 u4 w4 u5 w5 u6 w6 y

forwards u to z1, u ⊕ w to z2and w to z3. The strategy for z4is not memoryless.

Process q forwards w to z4until (including) the first 1 on w and then it forwards

u⊕w to z4. Formally, fz4(u, 0qb) = b and fz4(ub1,0q1wb2) = b1⊕b2. We also use

memoryless strategies for the processes piso that α is satisfied. For instance, the

strategy for p1 is f1(b1, b2) = (b1, b1⊕ b2) and the strategy for p6 (y excluded)

is f6_(b

3, b4) = (b3⊕ b4, b3). It is easy to see that with these strategies, the first

property α of the specification is satisfied.

The strategy fx _{(respectively f}y_{) is to output the p}th _{configuration of M}

starting from the empty tape when u (respectively v) encodes p. Then, the rest of the specification, β ∧ γ ∧ δ ∧ ψ, is satisfied.

Remark 14. Actually, one can define another distributed implementation by changing only the strategy fz4_{: at each step, process q transmits to p}

6the value

of u at the preceding step as the mod 2 difference between z3 and z4, until the

first 1 occurs on w. Formally, fz4_(u·a

1·a2,0qb) = a1⊕b and we adapt the

strate-gies of p1, . . . , p6so that α is satisfied. By xoring its two arguments, process p6

can then recover the whole history of u, except the bit occurring simultaneously with the first 1 of w. Hence, we are almost in the situation of the decidable architecture of Figure 1, but surprisingly, missing only one bit of information suffices to induce undecidability.

Let now F = (fv₎

v∈V \VI be a distributed implementation of ϕM on the

architecture A of Figure 3. We prove that fx_{must simulate the computation of}

M starting from the empty tape.

Let q ≥ 0. For u = 0q_1u0_{, we define u}0_{= 0}q_0u0_{. The next lemma states that}

strategies fz3 _{(resp. f}z4_{) must output the same sequence for u and u}0 _{if the}

input word w is suitable. This is the main technical lemma whose proof relies on the specification α.

Lemma 15. Let u, w ∈ 0q_{1{0, 1}}ω_{. For k ∈ {3, 4}, we have for all n > 0:}

ˆ fzk

(u0[n], w[n]) = ˆfzk

(u[n], w[n]). (2)

Lemma 16. If x is computed by fx _{from the input word u then for all p > 0}

we have

∀q ≥ 0, u∈ 0q₁p_{0{0, 1}}ω_{=⇒ x = #}p+q_C

p#ω (3)

where Cp is the p-th configuration reached by M starting from the empty tape.

Proof. The proof is by induction on p. The case p = 1 follows from the specifica-tion γ. Assume now that u ∈ 0q₁p+1_{0{0, 1}}ω_{and let v = 0}q+1₁p₀ω_{and w = 0}q₁ω_.

By induction, for u0∈ 0q+1₁p_{0{0, 1}}ω_{the output is x = #}q+1+p_C

p#ω. Using δ,

we deduce that on the input triple (u0_{, v, w) the output is y = x = #}q+1+p_C p#ω.

Now, by Lemma 15, on the input pairs (u0_{, w) and (u, w), the outputs on z} 3and

z4 are the same. Hence, on the input triples (u0, v, w) and (u, v, w) the outputs

on y must be y = #q+1+p_C

p#ω by the above. Using ψ, we deduce that on the

input triple (u, v, w) the output on x must be x = #q+1+p_C

p+1#ω. This

con-cludes the proof since x only depends on u. ut

It is then easy to get the undecidability of the architecture A of Figure 3 by considering the specification ϕM ∧ G(x 6= halt).

6

Conclusion

In this paper, we have argued that it is meaningful to rule out specifications for distributed architectures constraining internal variables. We have shown that every decidable architecture is linearly preordered, and that this condition is sufficient for deciding external specifications on UWC architectures. On the other hand, we have exhibited a linearly preordered, yet undecidable well-connected architecture for external LTL specifications, by simulating the loss of a single information bit on the UWC architecture of Figure 1.

Finally, we have shown that all UWC architectures are decidable for external and robust specifications, i.e., specifications constraining external variables which are causally related by a communication path. A challenging problem is to find whether this still holds for well-connected architectures.

References

1. R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung. Network information flow. IEEE Trans. Inform. Theory, 46(4):1204–1216, 2000.

2. A. Church. Logic, arithmetic, and automata. In Int. Symp. of Mathematicians, pages 23–35, 1962.

3. B. Finkbeiner and S. Schewe. Uniform distributed synthesis. In Proc. 20th IEEE Symp. on Logic in Computer Science (LICS 2005). IEEE Computer Society, 2005. 4. P. Gastin, N. Sznajder, and M. Zeitoun. Distributed synthesis for well-connected

architectures. Technical report, LSV, 2006.

5. O. Kupferman and M. Y. Vardi. Synthesizing distributed systems. In Proceedings of LICS’01. Computer Society Press, 2001.

6. O. Kupferman and M. Y. Vardi. Church’s problem revisited. The Bulletin of Symbolic Logic, 5(2):245–263, June 1999.

7. A. R. Lehman and E. Lehman. Complexity classification of network information flow problems. In Proceedings of SODA’04, pages 142–150. SIAM, 2004.

8. P. Madhusudan and P. S. Thiagarajan. Distributed controller synthesis for local specifications. In Proceedings of ICALP’01, volume 2076 of Lect. Notes Comp. Sci., pages 396–407. Springer, 2001.

9. D. E. Muller and P. E. Schupp. Simulating alternating tree automata by nondeter-ministic automata: New results and new proofs of theorems of Rabin, McNaughton and Safra. Theoret. Comput. Sci., 2(1):90–121, 1995.

10. G. Peterson and J. Reif. Multiple-person alternation. In 20th Annual Symposium on Foundations of Computer Science (San Juan, Puerto Rico, 1979), pages 348– 363. IEEE, New York, 1979.

11. A. Pnueli and R. Rosner. Distributed reactive systems are hard to synthesize. In Proceedings of 31th IEEE Symp. FOCS, pages 746–757, 1990.